Terms of use

1. Service and owner

1.1. “ATTACK SIMULATOR” (hereinafter, the “Service”) is a digital service that can be accessed via the www.attacksimulator.com website (hereinafter, the “Website”) that offers any client that subscribes to it (hereinafter, the “Subscriber”) the ability to simulate believable cyberattacks of different types, also known as attack campaigns (including, but not limited to, ransomware, spam, phishing and malware), with the purpose of establishing: (i) the computer security skill level of the Subscriber’s employees and the users’ detection effectiveness; and (ii) the training required by his qualified personnel to prevent and recognize the attacks, thereby maintaining a secure environment and preventing and/or minimizing the hazards that these types of attacks may cause on the Subscriber’s environment. The Service comprises the web pages, servers, programs and any other component and/or element that composes it, as well as (i) the technical information, installation manuals, instructions for use or any other documentation related to the Service; (ii) the images, photographs, sounds or other proprietary files; and (iii) any Service version, update, modification and/or upgrade.

1.2. The Service is owned by THE THIRD ITERATION SRL (hereinafter, the “Owner”), a Romanian entity whose place of business is in Aleea Negoiu 21, Gilau, Cluj, Romania, holder of tax identification number 36915314 (EU VAT 40599350), website www.attacksimulator.com and e-mail contact@attacksimulator.com.

1.3. These terms and conditions of use (“Terms of Use”), along with the “Subscription Service License,” are binding for Subscribers hiring the Service, who will be required to accept them before hiring the Service, as well as for the Users associated with the Subscriber’s account, who shall be informed of these Terms of Use for their express acceptance prior to the use of the Service.

2. Service Subscription and categories

2.1. In order to access and use the Service, the Subscriber will be first required to subscribe to any of the Service Plans provided, whose duration shall be as set forth herein and/or as per the specific conditions of the Subscriber’s subscription, when applicable. The Service allows Subscribers to choose among the following Service Plans:

• INTENSIVE ATTACK SIMULATOR, whose duration is three (3) months.

• CONTINUOUS EDUCATION PROGRAM, monthly service with a custom-tailored duration depending on the specific conditions of the Subscriber’s subscription.

• PERSONALIZED TRAINING, which is the most complete subscription category and enables the Service’s features, including its duration, to be personalized, depending on the specific conditions of the Subscriber’s subscription.

2.2. Each Service Plan will have a specific price that those interested in hiring the Service may see at any moment on the Website, along with the specifications and characteristics of each of them.

2.3. All Service Plans offer the following features:

• Subscriber’s account maintenance and management, including the creation and assignment of user accounts and permission management;

• design and programming of simulated cyberattack campaigns to be directed exclusively at those employees of the Subscriber that have been previously marked for that purpose in their account;

• assignment of a unique identifier for each of the Subscriber’s campaigns, to facilitate their management and an adequate rendering of the Service;

• customer service to address everyday inquiries about the use of the platform; and

• technical support in case of incidents related to the platform.

2.4. The Owner expressly reserves the right to perform any modification to the Service, specifically including the development and deployment of new functionalities, and the modification, adaptation and/or elimination of current Service characteristics and functionalities. Furthermore, the Owner reserves the right to set new prices for the Service, after prior notice to the Subscribers, as well as to modify and/or add categories and Service Plans.

3. Subscribers and Users

3.1. Any person, organization or company that hires the Service shall be deemed to be a Subscriber. The Subscriber may create one or more user accounts and assign them to each natural person, who, under the Subscriber’s coordination, authorization and direction, may access and use the Service as per its purposes (hereinafter, the “User”).

3.2. In order to register his account, the Subscriber shall be required to complete the form for that purpose found in the Website. The Subscriber shall be required to have a valid e-mail account to receive the Service License, as well as any messages or notifications necessary for the proper functioning of the Service.

3.3. During the registration process, the Subscriber will provide the information used to authenticate his account, which he may use to access the Service. Once registered, the Subscriber will need to create the User accounts linked to his account, once again specifying the passwords for each of them.

3.4. The Subscriber and/or Users will be the ones who will provide the Service Owner with the information of the Subscriber’s employees that each of the simulated cyberattack campaigns hired by the Subscriber pursuant to the Service will be directed to, specifying, among others, their names and surnames, e-mails and the name of the department they belong to, for each of them. It is the sole and exclusive responsibility of the Subscriber to have the proper authorization to do so by any of the employees affected by the performance of the hired Service.

3.5. When completing the registration process, the Subscriber will acknowledge and accept these Terms of Use, and he is bound to, and agrees to, notify these terms and conditions to all of the Users that he links to his account, by means of the procedure in place for that purpose within the Service, as well as to obtain their express acceptance of them before providing them access to the use of the Service.

3.6. Any provided information for the Subscriber, the linked Users or the Subscriber’s employees that may be targeted by the campaigns performed pursuant to the Service shall be accurate, truthful, current and complete, and it shall be the responsibility of the Subscriber to keep them updated at all times. The Subscriber and the Users shall be responsible for the safekeeping of their identifiers, passwords or any other Service identification and access information, and shall be liable for any damages that may result from their improper use, assignment, disclosure or loss.

4. Use of the Service

4.1. The Subscriber and the linked Users may only use the Service as per the functionality intended by the Owner, and shall, under all circumstances, be liable for the use of the Service. Furthermore, the Subscriber and the Users agree to use any of the components and/or elements that compose the Service adequately and in an acceptable manner. The Subscriber and the Users agree to refrain from using the Service in a way other than that which is implied by its purpose, including, but not limited to, introducing computer viruses on the network, using user accounts from others and/or carrying out any wrongful or unlawful act, and/or any act that is contrary to public order and good faith. In addition, they shall refrain from using the Service in a way that may be damaging to the rights and interests of the Owner or third parties, or that may in any way damage or hinder the image or reputation of the Owner, or prevent the normal use or enjoyment of the Service.

4.2. The Subscriber and the Users shall refrain from using the Service for purposes that include, but are not limited to:

a) harassing or disturbing third parties and/or violating their intimacy and privacy;

b) stealing the identity of other users or third parties;

c) spying on other users or third parties;

d) disclosing the location of other users to third parties;

e) undermining the reputation, image and honor of other users or third parties; and

f) advertising, with the purpose of promoting products, services or activities of third parties or their own.

4.3. The Subscriber and the Users agree to comply with all provisions contained herein, as well as in any notice, usage guidelines and instructions provided by the Owner and that are accessible to them, in relation to the use of the Service.

4.4. In the event that a use of the Service that is contrary to that which is set forth herein is detected, the Owner reserves the right to block the access and/or use of the Service by the Subscriber and/or his Users, delete their accounts, and/or take any legal actions it deems appropriate.

5. Pricing and payment method

5.1. The subscription to the Service shall be activated upon the payment of the first instalment for the category chosen by the Subscriber at the moment of registration. The subscription shall remain active as long as the Subscriber pays the agreed-upon instalments, as per the corresponding payment period. The Owner will publish any information related to the various categories and Service Plans offered, including the corresponding subscription prices, on the Website.

5.2. The Provider commissions the collection of the instalments to a payment gateway service provider. The Service shall manage the collection of the amount for the first instalment of the subscription, corresponding to the selected category, as well as the collection of the subsequent periodic instalments, through the aforementioned payment gateway. In this payment gateway, the Subscriber may opt to perform the payment for the total of the corresponding instalment by any of the following payment methods:

a) credit or debit card;

b) bank transfer;

c) PayPal;

d) other systems that may be defined in the future.

6. Intellectual and Industrial Property Rights

6.1. All components and/or elements that compose the Service, including, but not limited to, the software, source code, designs, interfaces, patents, trademarks, logotypes and any other components and/or elements are protected by intellectual and industrial property rights owned by the Owner, whether as a result of being the original owner of such rights, or by having the appropriate authorizations or licenses by their third party owners for their use as part of the Service. None of the aforementioned components and/or elements that compose the Service may be used beyond the terms set forth in the Service License.

6.2. The Subscriber and the Users shall refrain from circumventing any measure or device put in place to guarantee the intellectual and industrial property rights of any of the components and/or elements of the Service.

7. Privacy Policy

7.1. All personal data of the Subscriber and the Users linked to his account, whether collected at the time of the account registration, or during the use of the Service, will be added to a database owned by the Owner, who shall be the data controller, with the purpose of being used for the management and rendering of the Service, as well as, if expressly agreed by the interested party and separately from his consent to the collection of his data for such purpose, for the sending of any advertisement message related to its products and/or services. The Owner shall process the data solely for the purposes consented to by the interested parties, in a lawful, trustworthy and transparent manner, and agrees to comply with all obligations set forth by the personal data protection laws in effect (hereinafter, the “Data protection laws”).

7.2. The interested parties may exercise, at any time, the rights that they are legally entitled to; in particular, the rights to access, rectify, delete and object, as well as the rights to erasure, limitation and portability, by sending an e-mail to contact@attacksimulator.com, duly identifying themselves and clearly specifying the purpose of their request. Under all circumstances, given that the effective performance of the Service requires having the aforementioned personal data of the Subscriber and the Users linked to his account, the request to delete the data shall result in the termination of the subscription to the Service and the deletion of his account, except in the event that such deletion is limited to the sending of advertising messages.

7.3. Furthermore, the Owner shall process the personal data of the Subscriber’s employees provided by the Subscriber as a Data Processor, with the sole purpose of rendering the Service. This processing shall be performed on behalf of the Subscriber and as per his instructions and mandate. The Subscriber is obligated, and agrees, to previously obtain the express authorization of the employees whose data he provides to the Owner for the rendering of the Service, so that it can process the aforementioned data for the aforestated purposes, and in all circumstances, the Subscriber shall be solely and exclusively liable for the failure to be duly authorized by the employees, and the Owner shall be held harmless from any claim that may result from such noncompliance.

7.4. The Owner shall be authorized to subcontract the following providers for the performance of the service, if applicable, who shall act as data processors, with the purpose of individually rendering the corresponding services below:

• Amazon Web Services – database storage services

• Sendgrid – Mass mailing service used for the transfer of the simulated attacks

• Digital Ocean – hosting service for the web pages related to the simulated attacks

7.5. A third party to whom the Owner commissions the rendering of payment services, and who will be the only party responsible before the Subscriber for both the rendering of the service itself and for the processing of the personal data necessary for that purpose, including the corresponding banking information, shall handle the collection of the instalments corresponding to the acquired subscription, based on the hired category. This payment service shall include access to a payment gateway to which the Service will connect during the registration procedure for the collection of the first instalment corresponding to the hired category, as well as the collection of subsequent periodic instalments. The Owner will, at no time, store or have access to the banking information or other personal data provided by the Subscriber at the moment of making the payment through the aforementioned service, rendered by a third party, other than receiving the confirmation of the payment made by the Subscriber and the corresponding amount. To see the details of the processing of this personal data, the Subscriber may see the information provided by the owner of the payment service, who will be duly identified upon completing the subscription.

7.6. The personal data provided by the Subscriber and the Users linked to his account shall be accurate, truthful and current, and it shall be their exclusive responsibility to keep them updated at all times. Failure to do this shall result in them being liable for any damages that may arise as a result. Furthermore, the Subscriber and the Users linked to his account shall be responsible for the proper safekeeping of their respective identifiers, passwords or any other data used for identification and/or access to the Service, and they shall be liable for their improper use, assignment, disclosure or loss.

7.7. The Owner agrees to, at all times, care for the security and the compliance with the Data Protection Laws. For this purpose, it shall adopt the necessary technical and organizational security measures that are appropriate and sufficient, based on the characteristics of the processing, the type of data processed and the technology employed in the rendering of the Service, with the purpose of guaranteeing the data security, ensure its confidentiality, and prevent its undue processing, damage or loss. Furthermore, the Owner shall also make sure that the providers that intervene in the rendering of the Service as data processors adopt the necessary security measures, previously verifying that the specifications of their respective services allow it to guarantee the fulfilment of such commitment. In any event, the Owner shall provide the Subscriber with any information requested in relation to the purpose and lawfulness of the processing, the interested party and the personal data affected by such processing, the duration of its storage, and the rights that he may be entitled to, including the right to withdraw the consent to the processing, as well as file, when applicable, a claim before the control authority.

7.8. The Owner shall keep a record of all the personal data processing performed for the purposes of the rendering of the Service, informing its contact information and that of the data processors hired, if any, and specifying the nature and category of the data processed and the security measures implemented. In the event of any incident, or if any breach were detected in relation to the security of the personal data being processed, the Owner shall act immediately to prevent, reduce or minimize its effects, as well as to remedy or modify whatever is necessary and, if applicable, it shall notify the local Data Protection Agency within the established period.

7.9. Upon termination of the subscription for any reason, the Owner shall immediately destroy or, when applicable, return the personal data of the Subscribers and the Users linked to his account to the interested parties, and shall under no circumstance have the obligation to store them.

7.10. Any future modification to this Privacy policy shall be duly notified through the Service’s Website.

8. Service Security

8.1. The Owner shall not be obligated to control the presence of any virus, worm or any other computer element that may be harmful, destructive or hazardous in the equipment and computer resources of the Subscriber, his employees and other Users linked to his account. It is the responsibility of the Subscriber to have in place and implement the adequate tools for the detection, protection and disinfection of malware or any computer program that may be harmful, destructive or hazardous on his equipment and computer resources, including those of his employees and of the Users linked to his account. Consequently, the Owner shall, under no circumstance, be liable for any damages to the equipment and computer resources of the Subscriber, his employees and the Users linked to his account.

9. Cookie Policy

9.1. The Owner uses cookies with the purpose of collecting information about the use of the Service via the Website. The cookies are storage and data recovery mechanisms that are installed in the Subscriber’s and the Users’ computers for the purpose outlined herein, and to provide them with a better browsing experience.

9.2. Use of the Service implies that the Subscriber and the linked Users consent to the installation of cookies on their computers or devices for the purposes stated herein. Their refusal to use cookies may result in the use of the Service being affected, in certain features no longer being operational, or even in it being impossible to render the Service.

Types and purposes of cookies in use:

a. Technical cookies: they enable the navigation of the Website and the use of the different options or services it offers, such as controlling the traffic and data transfer, identifying the session, accessing restricted access sections, remembering the items contained in an order, performing an order’s purchasing process, completing a registration or event participation request, using security features during navigation, storing contents for the publishing of videos or sound, or sharing contents through social networks.

b. Personalization cookies: they enable access to the Service with certain general predefined characteristics based on a series of criteria from the User’s terminal, such as, for example, the language, the type of browser used to access the Service, the regional configuration from which the Service is accessed, etc.

c. Analytical cookies: they are used by the Owner, or owned by third parties, and they allow whoever is in charge of them to track and analyze the behavior of the Subscriber and the Users of the Website linked to the Service. The information collected by this type of cookie is used to measure the activity in websites, applications or platforms, and to make navigation profiles for the users of those sites, applications and platforms with the purpose of introducing improvements based on the analysis data of the usage that users give to the Service.

d. Advertising cookies: they allow for an effective management of advertising spaces included in the Service, including the garnishment of navigation profiles that allow for the collection of information related to the Subscriber’s and Users’ behavior, enabling the content of the advertisement to be tailored to them.

Cookie configuration:

During the navigation of the Service’s Website, the Subscriber and the Users have the option to allow, block or delete the cookies installed on their computer by configuring the options in the browser they use. The instructions to configure the use of cookies in the browser can be seen in the following links:

In case another browser is used, the Subscriber and the Users may obtain information on configuring the use of cookies in their computers through their browsers’ help. In case they need help to configure the cookies in the aforementioned browser, the Subscriber and the Users may send an e-mail to contact@attacksimulator.com, and the Owner will promptly contact them.

Changes:

If deemed appropriate, the Owner may modify this cookie policy, and it shall be the responsibility of the Subscriber and the Users to periodically read the policy in effect at any given time.

10. Transfer of Confidential Information through the Service

10.1. Any information submitted by the Subscriber and/or his linked Users through the Service shall be treated as confidential and with due respect. Notwithstanding the foregoing, the Owner may delete that information when it considers it to be inappropriate or offensive, or it may allow access to the aforementioned information to the Courts and Authorities with Jurisdiction that so request it, as long as said access is in compliance with applicable laws.

10.2. The Owner may send messages for advertising purposes to the Subscriber and his linked Users as long as a prior authorization exists for that purpose, and solely in relation to its own products and/or services.

11. Technological limitations

11.1. As a result of the performance of maintenance work, in specific cases there may be temporary interruptions to the Service. Furthermore, the Owner notifies that, in addition to the aforestated, a great variety of factors exist that may affect the functioning of the Service, including, but not limited to, environmental conditions, network saturation, connectivity, third-party software, etc.

12. Links to the Website

12.1. The Subscriber and/or his linked Users may establish links that lead to contents on the Website in third-party websites and applications, as long as, based on the way in which the link is implemented, it is evident that it links to a website other than the one in which the aforementioned link is located.

12.2. Under no circumstance may links be included in a website or application which contains wrongful or unlawful contents, or contents that are contrary to good faith. Furthermore, such links may not be added to websites or applications with strongly sexual or violent contents. In addition, links may not be added to websites or applications whose contents include, but are not limited to, xenophobic, discriminatory or pornographic contents, or contents that in any way go against people’s dignity.

13. Service Improvements

13.1. With the purpose of improving the Service, the Owner may, at its own discretion, at any time and without prior notice, modify any component and/or element of the Service or its operation, technical and usage conditions.

13.2. Furthermore, the Subscriber and/or the Users may suggest any modifications they deem useful to the Owner with the purpose of improving the Service, as well as obtain any additional information or have their inquiries, complaints or suggestions addressed, by contacting the Owner via the Website. This shall, however, imply no obligation whatsoever for the Owner.

14. Disclaimer

14.1. The Owner shall not be liable for any decision taken by the Subscriber as a consequence of the rendering of the Service, or for any damages that may result from them, either to the Subscriber or to third parties.

14.2. The Owner shall, moreover, not be liable for the speed, the navigation quality and the use and access to the Service, which shall depend on the technical conditions agreed upon with their service providers. Therefore, the Owner shall not be liable for the inability to access the Service, or for the discontinuation or cancellation of such access, or for issues with the connection to the communications network used by the Subscriber and/or Users linked to his account to access the Service, or for failures caused by third-parties. It shall, furthermore, not be liable for the continuation and availability of the Service when this cannot be guaranteed for causes not attributable to the Owner.

15. Duration and termination

15.1. These Terms of Use shall remain in effect during the entire time that the Subscriber maintains an active subscription to the Service, by maintaining the registered account and using the Service himself and/or having his linked Users use the Service, until the Subscriber otherwise terminates the aforementioned account.

15.2. The Owner reserves the right to deny or terminate access to the Service and the services provided through it, if any, to any Subscriber and/or User that fails to comply with these General Terms of Use.

16. Modification to the General Terms of Use

16.1. The Owner reserves the right to modify these General Terms of Use at any moment without prior notice, and it shall be the responsibility of the Subscriber and the Users linked to his account to periodically review them.

16.2. Under all circumstances, before hiring and/or using the Service, the Subscriber and the Users linked to his account shall be required to accept the General Terms of Use in effect at the time, which will be at their disposal.

17. Written notifications

17.1. By accepting these General Terms of Use, the Subscriber and the Users agree for most communications with the Owner to be carried out by electronic means. The Owner will preferably contact the Subscriber and the Users through its e-mail, or via notices published through the Service.

17.2. Under all circumstances, the Subscriber and the Users agree to use electronic means for any communication related to the Service, and they acknowledge that any and all notifications, information and other communications sent by the Owner through electronic means comply with the legal requirements of having been made in writing.

18. Jurisdiction and applicable law

18.1. These General Terms of Use shall be governed as per the provisions set forth in the Laws of the United States of America, notwithstanding the user and consumer protection regulations that may apply.

18.2. In the case of conflicts resulting from the performance of the Service, the parties expressly waive any other venue or jurisdiction to which they may be entitled, and agree to submit to the exclusive jurisdiction of the Courts of Delaware (USA).